From a9e8d80332d37e00d3e07237cd042dcf248991de Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 11 2022 04:36:09 +0000 Subject: import rpm-4.14.3-21.el8 --- diff --git a/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch b/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch index cb4e00f..7d4e85b 100644 --- a/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch +++ b/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch @@ -1,4 +1,4 @@ -From 92d942a2da619852c2b223e09a645110e867fc67 Mon Sep 17 00:00:00 2001 +From 82c53e4b7f720012a391d8f6e5da9ee3c4f22bed Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Thu, 6 May 2021 18:34:45 -0400 Subject: [PATCH] Validate and require subkey binding signatures on PGP public @@ -18,22 +18,25 @@ Combined with: 5ff86764b17f31535cb247543a90dd739076ec38 b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 9f03f42e2614a68f589f9db8fe76287146522c0c +b6dffb6dc5ffa2ddc389743f0507876cab341315 (mem-leak fix) +ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 (use-after-free fix) Fixes CVE-2021-3521. --- - rpmio/rpmpgp.c | 123 +++++++++++++++--- + rpmio/rpmpgp.c | 122 +++++++++++++++--- + sign/rpmgensig.c | 2 +- tests/Makefile.am | 3 + tests/data/keys/CVE-2021-3521-badbind.asc | 25 ++++ .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 ++++ tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 ++++++ tests/rpmsigdig.at | 28 ++++ - 6 files changed, 224 insertions(+), 17 deletions(-) + 7 files changed, 224 insertions(+), 18 deletions(-) create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c -index 46cd0f31a..fbb131a28 100644 +index 46cd0f31a..bd4992ec7 100644 --- a/rpmio/rpmpgp.c +++ b/rpmio/rpmpgp.c @@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg) 
@@ -76,7 +79,7 @@ index 46cd0f31a..fbb131a28 100644 } break; default: rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version); -@@ -999,36 +997,128 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) +@@ -999,36 +997,127 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) return algo; } @@ -178,12 +181,11 @@ index 46cd0f31a..fbb131a28 100644 - p += (pkt.body - pkt.head) + pkt.blen; + if (selfsig) { + /* subkeys must be followed by binding signature */ -+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) { -+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING) -+ break; -+ } ++ int xx = 1; /* assume failure */ + -+ int xx = pgpVerifySelf(digp, selfsig, all, i); ++ if (!(prevtag == PGPTAG_PUBLIC_SUBKEY && ++ selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)) ++ xx = pgpVerifySelf(digp, selfsig, all, i); + + selfsig = pgpDigParamsFree(selfsig); + if (xx) @@ -213,7 +215,7 @@ index 46cd0f31a..fbb131a28 100644 if (ret && rc == 0) { *ret = digp; } else { -@@ -1063,8 +1153,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, +@@ -1063,8 +1152,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, digps = xrealloc(digps, alloced * sizeof(*digps)); } @@ -223,6 +225,19 @@ index 46cd0f31a..fbb131a28 100644 /* Copy UID from main key to subkey */ digps[count]->userid = xstrdup(mainkey->userid); +diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c +index 771d01098..b33fe996c 100644 +--- a/sign/rpmgensig.c ++++ b/sign/rpmgensig.c +@@ -409,7 +409,7 @@ static int haveSignature(rpmtd sigtd, Header h) + pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2); + if (pgpDigParamsCmp(sig1, sig2) == 0) + rc = 1; +- pgpDigParamsFree(sig2); ++ sig2 = pgpDigParamsFree(sig2); + } + pgpDigParamsFree(sig1); + rpmtdFreeData(&oldtd); diff --git a/tests/Makefile.am b/tests/Makefile.am index 5f5207e56..309347262 100644 --- a/tests/Makefile.am 
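Review bot: The fail-closed default `int xx = 1; /* assume failure */` is the security-relevant line of the rpmpgp.c hunk, but the comment says what, not why; a reader has to reconstruct that a subkey whose self-signature is not a binding signature must be rejected rather than skipped, and that selfsig is now freed on that path too. I would merge the two comments into one above the condition, e.g. `/* A subkey must be followed by a binding signature; any other self-sig on a subkey leaves xx non-zero so the key fails, and selfsig is freed on every path. */`. The negated conjunction is also easy to misread; its De Morgan form `if (prevtag != PGPTAG_PUBLIC_SUBKEY || selfsig->sigtype == PGPSIGTYPE_SUBKEY_BINDING)` reads directly as "verify unless this is a non-binding signature on a subkey". The body of `if (xx)` (presumably the `break` the removed lines used) and the enclosing loop lie outside the hunk.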
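Review bot: In the new sign/rpmgensig.c hunk the return value of `pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);` is still ignored, and the rpmpgp.c hunk above shows `*ret` is only assigned when `rc == 0`, so after a failed parse sig2 keeps whatever value it had (NULL once this fix resets it) and is passed to pgpDigParamsCmp anyway. Unless pgpDigParamsCmp is known to tolerate a NULL argument, guard the comparison on the parse result: `if (pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2) == 0 && pgpDigParamsCmp(sig1, sig2) == 0) rc = 1;`. For consistency the context line `pgpDigParamsFree(sig1);` could use the same pointer-resetting form, `sig1 = pgpDigParamsFree(sig1);`, so both signatures are handled alike; whether sig1 is reused afterwards cannot be seen here, as haveSignature's body continues outside the hunk.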
@@ -382,5 +397,5 @@ index 09fcdd525..a74f400ae 100644 # Test pre-built package verification AT_SETUP([rpmkeys -K 1]) -- -2.33.1 +2.34.1 diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index a2796e0..c1ae824 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -32,7 +32,7 @@ %global rpmver 4.14.3 #global snapver rc2 -%global rel 20 +%global rel 21 %global srcver %{version}%{?snapver:-%{snapver}} %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x} @@ -692,6 +692,9 @@ make check || cat tests/rpmtests.log %doc doc/librpm/html/* %changelog +* Mon Jan 10 2022 Michal Domonkos - 4.14.3-21 +- Address covscan issues in binding sigs validation patch (#1958480) + * Thu Dec 09 2021 Michal Domonkos - 4.14.3-20 - Add --path query option (#1940895) - Macroize find-debuginfo script location (#2019540)